Paul Whitehouse had a Fast Show character called Archie, a pub bore constantly talking about a chosen profession being the “hardest game in the world… done it meself see..”. Whilst I loved (most of) my five years as a local government FOI officer, I have my Archie moments about it, especially when I remember certain vexatious applicants and the occasional officer who thought FOI was a personal slight I had devised for them. The FOI officers of some councils, government departments and universities have clearly inherited the most hemlock-heavy poisoned chalices, stuck with unpopular decisions, controversial work, or the attentions of Phillip Morris. Ladies and Gentlemen, I salute you all (and I am available if you want me to train your staff). Nevertheless, doing FOI for the ICO and regulating its own decisions is probably the hardest game in the FOI world.
I’ve been writing a book over the summer and stopped reading and doing a lot of things to get it finished. Which didn’t work. While ensconced, I missed a Tribunal FOI case in July about the notorious Consulting Association blacklist, which included harsh comments about the Information Commissioner’s handling of FOI requests, and its investigation into its own response.
The decision is here: http://tinyurl.com/3ep22vum, and the relevant section is on page 31, paragraph 99 onwards.
A union official requested information from the ICO about his union and its members on the Consulting Association’s databases. The ICO seized the list in 2009, and subsequently prosecuted its owner Ian Kerr for non-notification (its actions had already effectively put him out of business). They also served Enforcement Notices on many construction companies who bought access to the blacklist. Like the What Price Privacy report, the CA case proves that the ICO really can deliver the goods (and raises the question of why such triumphs are not more common).
However, the Tribunal’s verdict on this request exemplifies something slightly less glorious. The Tribunal draws attention to two aspects of the ICO’s handling of the case. First, the initial refusal of Richie’s request was based on the cost, despite a subsequent admission that the information would always have been refused because of the statutory prohibition on disclosure in Section 59 of the Data Protection Act. They also brought up the personal data exemption at the Tribunal, having not previously mentioned it. In light of the fact that organisations take their cue from the ICO’s handling of its own requests, the Tribunal described the late reference to new exemptions as ‘inexcusable’. Ouch.
The second issue is at the very end, where the Tribunal describes the ICO’s investigation of the case wearing its FOI regulator’s hat as ‘lacking in real challenge’. Ouch again. Ultimately, the union complaint failed because the ICO was entitled to refuse, but the case raises some questions.
Everyone – applicants, public authorities, and journalists – expects ICO staff to be omniscient and infallible. This is probably even more so for the people who provide the service that the ICO is supposed to regulate for everyone else. This is unfair and unrealistic, but it is nevertheless a fact of life. When I worked there long ago, a rather supercilious (now former) senior officer told me that people needed to do as the ICO said, not as they did. This was two Commissioners ago, but it still doesn’t cut it.
The ICO has to be 100% on the ball with its handling of its own FOI and Data Protection, however difficult that is. Anyone dealing with FOI requests made to the ICO, whether answering them or reviewing them needs the time and space to consider not only the straightforward issues of ‘should we give this out?’, but what does our guidance say, how will this look, and have we ever said to someone else that they shouldn’t do what we’re about to do? I hope they get that space. The ICO should have the most well-funded, well-resourced and well-supported FOI and DP compliance team in the UK, precisely because the Tribunal says that they should be an exemplar. I don’t know whether they have, but I doubt it. In every organisation I have ever worked, there have been more PR people than compliance people, and I bet the ICO is the same.
If all this comes across as a criticism of the people involved in the Richie decision, it shouldn’t, and I apologise if it does. I would have hated it as an FOI officer if some private sector know-all sneered at my work from the sidelines, and I have probably never done a job as tricky as regulating a regulator. But smart-arsed bloggers are another symptom of the ICO’s position in the shop window. It’s a dirty job, but somebody’s got to do it.
And anyway, doing health and safety for the HSE, that’s the hardest game in world….